General
-
Target
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
-
Size
74.9MB
-
Sample
250325-x9m2ravmx5
-
MD5
c7043b9b65e252b5305634da4f5515f1
-
SHA1
129a58d2c6c4de7fcead562f9729a28e517fb6d4
-
SHA256
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
-
SHA512
cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
-
SSDEEP
1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb
Static task
static1
Behavioral task
behavioral1
Sample
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
http://176.113.115.7/mine/random.exe
Extracted
sharpstealer
https://api.telegram.org/bot7057429288:AAHYl5_27YU1Yjmuj33WKOqLVSgYtq3n-8k/getUpdates
Extracted
lokibot
https://rottot.shop/Devil/PWS/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
silverrat
1.0.0.0
clear-spice.gl.at.ply.gg:62042
SilverMutex_ZtRAjMMKxS
-
certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
-
decrypted_key
-|S.S.S|-
-
discord
https://discord.com/api/webhooks/1335733715820609557/QV6ZUiJPFo3MXmoiKBB-WTBlkHeBiFxmRY95RN_M1sHhPMswAoo2T6AL_kHvoSoCRKE0
-
key
yy6zDjAUmbB09pKvo5Hhug==
-
key_x509
dFRzdEVvbU9ZVUR2UmVzZFlPR3V3dlRGWURZdk9S
-
payload_url
https://g.top4top.io/p_2522c7w8u1.png
-
reconnect_delay
2
-
server_signature
PtC8aQAwsdmyktc6Q/l3u9a8oFTj+Ey3VIlIKXe9bX2WiEn7hNPQ0tkMLi1qQ4IBmCWOFTRIVHi2GG5zTxUlAwkitK3X3bWdHiwrf6PqZ7NdmPsSKZym4q+nKXH4df40wtjNvJ2x2m8OSi5jsVvT64/UsmRfIZbFTRp63PCTQ6lN+EL6OoW+dMidok+JH6T8pG21/HyoeykN9muipEqdoixkTFitX6aUocvGy6VZCs7eSxoXtzmYQ3tBukBHuIZAivbVLiF2aDkkpSX6763SGMYUbfASkQ/ihv1elb+XOoqprP3V4GqcllwfGzlk+8/rQD8C3cwLiQEtXgKHbyYWrNcSvis5fYgRcEDvlk2ZkbE8VQE6aNc+VN0TZNW3ldvE+h62kKCYoOb7oJDwiw86IudT01xe9YetmDuCvOIBZqGoXj0h68jOIklH4g22Fx8pOaIisv01vdSoawFzoOQNfgfZeRgjvV6QJHQiYuodn+FWlPwYxQ7FzUJy3is8d0VoJr6rG2BeEn99pW/LO+SsCfPIGZvs7oA/oEsn2BBkGVhlko0IZCxd30q3HIEIwdagGJgHVtnC5C2yMsmjV3geQMUCdRsAJEuCEVqAkTr7QQNJoSCok8jOYoOeJxzwbNzAMySliCDNoGYhhU/jnfhJKsqo355RYtvKROehEYZ0Srg=
Extracted
danabot
51.178.195.151
51.222.39.81
149.255.35.125
38.68.50.179
51.77.7.204
Extracted
quasar
1.3.0.0
nigga
niggahunter-28633.portmap.io:28633
QSR_MUTEX_m0fef2zik6JZzavCsv
-
encryption_key
E3KUWr7JQZqCWN4hstks
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Runtime Broker
-
subdirectory
SubDir
Extracted
lumma
https://t5impactsupport.world/api
https://nestlecompany.world/api
https://mercharena.biz/api
https://stormlegue.com/api
https://blast-hubs.com/api
https://blastikcn.com/api
https://lestagames.world/api
Extracted
asyncrat
0.5.6B
null
rootedkrypto-29674.portmap.host:29674
jsmjjhooulqefd
-
delay
5
-
install
true
-
install_file
Minecraft.exe
-
install_folder
%AppData%
Extracted
asyncrat
0.5.7B
Default
dropout-37757.portmap.host:55554
dropout-37757.portmap.host:37757
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
amadey
2.06
216cb1
-
install_dir
a5410c88f1
-
install_file
bween.exe
-
strings_key
98f994e2e32b679144ff91a0b2c90190
-
url_paths
/g5vpppHc/index.php
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Extracted
crimsonrat
185.136.161.124
Extracted
amadey
5.21
092155
http://176.113.115.6
-
install_dir
bb556cff4a
-
install_file
rapes.exe
-
strings_key
a131b127e996a898cd19ffb2d92e481b
-
url_paths
/Ni9kiput/index.php
Extracted
xworm
5.0
142.147.96.74:7000
buinhatduy01.ddns.net:7000
buinhatduy.duckdns.org:7000
O9hqaPBmS3qVW6ON
-
Install_directory
%AppData%
-
install_file
AggregatorHost.exe
Extracted
phemedrone
https://api.telegram.org/bot7668501460:AAH2A5oRhWUqF_EWSrJaaRppA9RgQdU2iUc/sendDocument
Extracted
http://176.113.115.7/mine/random.exe
Extracted
systembc
kdadklkoiw0239.com
Targets
-
-
Target
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
-
Size
74.9MB
-
MD5
c7043b9b65e252b5305634da4f5515f1
-
SHA1
129a58d2c6c4de7fcead562f9729a28e517fb6d4
-
SHA256
07881667044b72b47a906d99ca3522e12c6cbad62b5e2e6db7930504f604366a
-
SHA512
cdc28eb03dcf533d19e74d7bd86962905486902c5556c448bbf0daa69be705dc1f18c7ea2c41ba8568a1910efb711edaa259a02d35108474e412b8044b719575
-
SSDEEP
1572864:Z6x3bF0F9U7b7ewHkli+ouzl1IBMrGZHdk/6eSDFb:UBF0Fsb7ewHkliN4km+91xb
Score10/10amadeyasyncratcrimsonratdanabotgh0stratlokibotlummaphemedronequasarsalitysharpstealersilverratxworm092155216cb1defaultnigganullagilenetbackdoorbankerbootkitbotnetcollectiondefense_evasiondiscoveryexecutionpersistencepyinstallerratspywarestealerthemidatrojanupxvmprotectdcratmodiloadersystembcxmrigcredential_accessinfostealerminer-
Amadey family
-
Asyncrat family
-
CrimsonRAT main payload
-
Crimsonrat family
-
Danabot family
-
Danabot x86 payload
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload
-
Gh0st RAT payload
-
Gh0strat family
-
Lokibot family
-
Lumma family
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies firewall policy service
-
Modiloader family
-
Phemedrone family
-
Quasar family
-
Quasar payload
-
Sality family
-
Sharp Stealer
Sharp Stealer is an infostealer first observed in 2024, based on Echelon and Umbral stealers.
-
Sharpstealer family
-
Silverrat family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Systembc family
-
UAC bypass
-
Windows security bypass
-
XMRig Miner payload
-
Xmrig family
-
Xworm family
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
ModiLoader First Stage
-
Blocklisted process makes network request
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Uses the VBS compiler for execution
-
Windows security modification
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops autorun.inf file
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Modify Authentication Process
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Indicator Removal
1File Deletion
1Modify Authentication Process
1Modify Registry
10Obfuscated Files or Information
1Command Obfuscation
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Discovery
Peripheral Device Discovery
1Process Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
6System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
2